Note that we're adding &singleUse here. Logging in is a sensitive action, so we only want each token to be used once. We're also setting the &key to login, which we'll also need to set in the Login snippet in a minute.

While for FormIt we need to separately add an error placeholder to show when the security token isn't valid, that's not needed for Login. The [[+errors]] placeholder will show the error automatically.

The full example myLoginTpl chunk, including the csrf_token hidden field, now looks like this:

Validating the token with a hook

Now that we're submitting the token, we should also validate it. We do this with the csrfhelper_login pre-hook.

In the Login snippet call, add csrfhelper_login to your &preHooks property.

Also add the &csrfKey property with the key for the CSRF token; this should be unique for each unique form and match the &key in the csrfhelper snippet call. In the example above, this was set to login.
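
To show why the key has to match and what single use means in practice, here is an added sketch of a per-key, single-use token check. It is not CSRFHelper's code: the function names issueToken and checkToken and the $store layout are hypothetical, and $session stands in for the PHP session.

```php
<?php
// Illustrative sketch only: NOT CSRFHelper's implementation.
// issueToken(), checkToken() and the $store layout are hypothetical.

// Generate a random token and remember it under the form's key.
function issueToken(array &$store, string $key): string
{
    $token = bin2hex(random_bytes(32));
    $store[$key] = $token; // one current token per form key
    return $token;
}

// Accept the submitted token only if it matches the one stored for this key.
// With $singleUse enabled, a valid token is discarded after its first use.
function checkToken(array &$store, string $key, string $submitted, bool $singleUse): bool
{
    $expected = $store[$key] ?? '';
    // hash_equals() compares in constant time; an empty stored value never matches.
    $ok = $expected !== '' && hash_equals($expected, $submitted);
    if ($ok && $singleUse) {
        unset($store[$key]); // a replay of the same token now fails
    }
    return $ok;
}

// Constructed demo data: $session stands in for $_SESSION.
$session = [];
$loginToken = issueToken($session, 'login');

// Case 1: token issued for "login" but validated against a different key.
var_dump(checkToken($session, 'contact', $loginToken, true));

// Case 2: same token validated against the matching key, first submission.
var_dump(checkToken($session, 'login', $loginToken, true));

// Case 3: the same token submitted a second time.
var_dump(checkToken($session, 'login', $loginToken, true));
```

Only the second case is accepted: the first fails because the key differs from the one the token was issued under, and the third fails because the token was discarded after its first valid use.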